Posted
by
jamie
on Thursday March 08, 2001 @06:15PM
from the hit-me-baby-one-more-time dept.

Wanker writes "An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the
SANS security site."
Says SANS, "The FBI and Secret Service are taking the unprecedented step of releasing detailed forensic information from ongoing investigations" of the IIS, MS SQL Server and Windows NT breakins. We don't normally post news about exploits, but the scale here is massive: more than a million credit cards have been taken in a blackmail-extortion operation that has been going on for a year. Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...
Update: 03/09 03:37 AM GMT by J: Microsoft says,
Don't Be A Victim!.

If you are an NT admin or know someone who is, note especially:

"Within a day or two, the
Center for Internet Security
will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems...

"The Center's tools are normally available only to members, but because of the importance of this problem, the Center agreed to make the new tool, built for the Center by Steve Gibson of Gibson Research) available to all who need it."

"What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS"

Why not use a proxy to trap this? It's tempting to do a Junkbuster patch - just needs a separate lookup on www.netcraft.com (hopefully cacheable). Of course, non-IIS servers can have holes too, so it would be useful to generalise this to look up against server-auditing services (if there are any that can be trusted).

"Its getting trite to point out how anti-MS the Slashdot trolls^H^H^H^H^H^Heditors are, but..."

Very True. This guy shouldn't have been modded "Troll". If moderatore/slashdot/posters/etc... can't say anything nice, we are talking to ourselves. Let the FBI be the bad guys here. Use quotes from what the Story had to say for the negitive and concentrate on the positive.

"Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."

"I've worked with many companies, both Windows based and UNIX based, and in my experience there's plenty of clueless sysadmins to go around."

That is totally true, for some ass kissing is enough.

"In fact, while I have no numbers to back it up, my experience suggests NT sysadmins are MORE likely to be running patched systems than UNIX sysadmins... Not because they are more clueful, but because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things."

Thats it, all updated up to the minute. Even if someone is waiting just for your box they may never get in!

"I'm not saying the NT 'way' is better -- you certainly generally have to wait longer for a fix to a known problem on that end, but to suggest that sysadmins who use NT are someone less clueful or responsible just because they are running NT is just, well, fucking stupid."

"less clueful"---->probably, I honestly think most people here are tring to help you discover what we have discovered about computers and the good side of the source.

"(less) responsible"---->If anybody tells you that they just a jerk. They are "fucking stupid" They don't speak for everyone though.:)

But so what? Your DB shouldn't be accessible to outsiders anyway. It should be "hidden" somewhere unreachable, preferably in nonroutable space (RFC1918). Your applications need to reach it. Outsiders don't.

Of course, using UNIX is no magic solution. I know of a company that deals (if they still exist) with *money* in their DB. The child DBA installed Sybase on a public IP and left the password blank. That he did this on a Solaris box didn't make a difference; it was still stupid.

Needless to say, they didn't bother with a firewall.

Back to your message: hardcoding *any* password is an invitation to problems. I know of a different company that had a password hardcoded throughout their software. This was a password which provided login access to the web servers (among other things). Of course, an ex-employee of reduced morals exploited this and gave them a nice "rm -rf/" to consider.

It wasn't the root password, so it didn't kill everything. But it took out all of their application software.

They'd have changed the password more often, but "it was too hard" to do so because it was encoded all over the place.

We won't even discuss the wisdom of how this company organized their file ownerships and access rights.

So the blank password is really a red herring. Access to the DB from outside is wrong. Hardcoding any password is wrong.

Too bad Windows Update is not kept updated. Follow Bugtraq, and subscribed to the MS lists for awhile. They have fixes available for download for weeks to months before they show up on Windows Update. You can't depend on that service, you have to poke and prod, and keep your ear to the ground yourself.

I installed RedHat 5.2 on a server on the internet at a previous place of employment.
I later quit that job. After that, no patches
were applied to that box, which was the company mail server.

I later heard, from a friend of a friend who still works there that the box was hacked.

When you put your credit card number into a web site, how do you know if they have a full staff
to maintain the boxes and network where your
credit card is stored?

At my current place of employment, an NT/IIS based web site was recently defaced. So they ran down
the list of measures required to close the holes
and sent them to the list of sysadmins for all the boxes outside the firewall.

Not all the measures where service packs. Some involved disabling RDO. Luckily, there were
no credit card numbers involved.

Kernel versions and service packs are not enough.
To greatly reduce the chance of being hacked, you have to have
good people given enough time to keep checking the
security alerts and changing the box configurations (both Linux and NT) to keep all
the known security holes shut.

Nothing, we don't get nothing.Your wallet is stolen and you can report to police, your credit card and personal data is stolen and you don't even know, even if the ones that were keeping the info knew that it was stolen.
All this is very flawed.
MY data belongs to me, I claim the right to have it myself and just me, I don't want to be stored anywhere.
If I show you my car you don't assume it is yours know, why the heck should retailerwhatever.com feel the right to keep my data in a database just because I showed them for the purpose of buying once in a lifetime? Don't store my data anywhere and if someone breaks in your computers, I don't give a damn thing them, it is your problem. But no... it has to be the other way, store my data, a criminal breaks in, takes it, I am stolen, you never tell me and now it is YOU that don't give a damn, after all it is me that has been stolen.Sorry for the rant.

Of course, some programmers know this potential side effect of service packs, and take care to warn their product's users.

For instance, at my employer, we often use a particular web server package with Windows NT 4. Our corporate standard is NT 4 with SP4 (I have no idea why.) When I go to install the webserver on a standard box, up will come a little message to the effect of:

Windows NT Service Pack 4 has been detected on this computer. This product has not been tested with SP4. Do you wish to continue with the installation?

We click 'Yes', and fortunately for us, the program works without a hitch.

What is this product, and who is the far sighted software company that knows not to trust Microsoft's SP updates?

Don't forget, the easier to build an e-commerce site is to use, the easier it is to get screwed. Gee,
Mr. Jeff Bozos, Internet Get Rich Quicker: "NT is quick out of the box and everyone uses it, well I should put my E-Business on it. Teehee, install and forget? Keen!"
Urie the 3l1t3 Russian Haxor: "Haha! What is this? SP3? Time for me to beink getting pizza, with some person other than me's kredit kards! Da, is good!"
Bozos: "Whuzzis? I don't know nothin' about upgradin' no servers and what is this here, 'Securitee Upduhate Neheeded?' This computer stuff makes me thirsty, what was the button Homer pressed?"
Urie: "Yes, I would like 350 large pizzas, with everything, and borscht for 200. Nyet? No borscht.... is okay! Could you be makink design out of anchovies on pizza? Da? Could it be beingk a [mumble mumble] Be deliverink it to Mr. Jeff Bozos at junglebooks.com for me. Da, is good."
What will Jeff do when he discovers that his
valuable credit card database has been stolen? Will he call the cops? Notify his customers? Eat the anchovie pizza? We'll find out next time on, "As the Tech Bubble Bursts!"

Damn straight! The best way to ruin your uptime is to be doing unnecessary things to the computers...

I admin at a research lab, and the GSR's (graduate student researchers) are always asking me "Can you install Matlab6"? To which I reply, "Whats wrong with matlab 5.1?"... "Well, the EE department has matlab 6..." "We will to, as soon as you can tell me why we need it."

Granted, In this case the windows patches were definatley not-optional, but I understand the mind frame that wouldn't wanna install them.

It's really nice of Microsoft to do that, and to add the automatic update functionality in Windows ME, but that misses the key problems.

First, Microsoft does not adequately test its service packs. There was a very embarassing series of "service packs required to fix prior service pack" with NT4. I think it ran from SP4 through SP7. If installing a service pack may take down your system, only an idiot will allow it to be done automatically or "casually."

Second, Microsoft is notorious for doing more than simple bug fixes in its service packs. Sometimes that functionality is useful, more often it breaks installed third-party applications. Again, only an idiot will allow it to be done automatically or "casually."

In many ways, this "feature" reminds me of the joke about the helicopter pilot lost in the fog over the Microsoft campus. This feature might look helpful to the casual observer, but it ignores the real problems.

Who said that the cc numbers were actually on the webserver? If you can attack the webserver in such a way as to have it execute code, it can easily connect to a second db server. OR... You can see the source code, grab database passwords often in plaintext in the sourcecode, and hit the SQL Server database with enterprise manager remotely - unless they've wised up and had SQL server ports blocked except from trusted sources. From what I've seen, that's doubtful. People will spend thousands on a firewall for SQL server rather than just restrict access to specific IP address at the network card level.

Actually, the version of SP4 I used, and still use (I start with SP3, then apply the rest in sequence) is the 128-bit download version. I have SP4 on the SQL 7 cd, and SMS 2, but I prefer to use the downloaded version for my NT service packs. To use the cd, I either have to put up with the neato-keano GUI crap, or dig through the cd to find the installer. Easier to download it, and keep it in an easy to find place. Anyway, the point of this was that the download version does bitch at you if you haven't updated MDAC, and don't have the correct version of IE installed.

Yes, you can run ssh on windows. You can even install korn shell and get SOME scripting capabilites. What you can't do is effectively deploy software updates in this manner.

NT4 Service Pack 6a. Thanks for bringing this up. Try grabbing an older NT4 CD with Service Pack 1 and installing 6a on it. I've done this several times... I refused to believe fellow NT admins that upgrading from SP1 to 6a was a bad idea. That is until the systems I installed blew up and died once I configured IIS and JRun, and theirs didn't. Make sure you install 3 or 4 before installing 6a or the system will be VERY unreliable. One of the boxes I did this way bluescreened and never booted again.

I can't wait to tell the sysadmins about your last point: "same amount of time." Both the UNIX and NT guys will find that hilarious.---

because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things

Well, most commercial *nixes do have "huge monolithic service packs". I've just finished setting up ten Solaris 2.7 servers, and all I had to do was run the Maintenance Update, then the latest Recommended package zip from Sun. Basically, two service packs.

You've just been looking at the Linuxes, where this level support is not there yet (although Debian and apt-get are getting there.)

Of course, if you routinely install GNU or open source software, you'd have to maintain that yourself, but any competent admin can roll their own update tarballs.

Admins aren't stupid because they use NT. It's just that stupid admins prefer NT. I've met some really competent NT admins, although for some reason they almost always look like they could use a lot more sleep.:)

In some cases, yes, it's how things get fixed. When a company does something stupid that endangers or inconvienences its customers, the only way to get them to change their behavior is to make sure the financial impact to them is substantial. Hiring incompetant admins or overloading your admins to the point where they're always putting out fires with no time to keep up with security will save the company money. So you need to go to court and make sure it costs more to do that than to hire enough good admins to make sure your site stays secure.

> I can use ssh to do that simultaneously on several hundred systems. Can you say the same with NT?

www.ssh.com. Remote administration for NT. Please research your information before speaking out of your ass.

> The fact is, NT service packs are a horrible mess and hassle. You have to remove the pack and reinstall it frequently, and if the pack is fixing support for hardware you NEED to access the system, you've got a serious issue on your hands.

Really? That's news to me. I'm using NT4 with Service Pack 6a without a hitch. Perhaps it's just you.

> Oh; using wget and ssh, I can automate this process for hundreds of machines in minutes. How long does that take to set up in NT, again?

Windows Update *only* includes updates to the OS, and even then they aren't comprehensive and are always late. Moreover, the patches for IIS, SQL, ISA, and others are buried deep within Microsoft's site. Microsoft needs something similar to Debian's apt-get which would allow a sysadmin to browse all the available updates and hotfixes then choose which ones to install. How many hotfixes are going to be in Win2k SP2 alone? Hundreds, how can a sysadmin with more than one computer make sure all of them are installed. Oh yeah, don't forget that they have to be done in the middle of the night so no uptime is lost.

My idea, Microsft releases a OSPS (Operating System Patch Server), sort of like Norton and Anit-Virus updates but for Microsoft products. That way you would only have to patch the OSPS machine manually!

Cool! I'll have to use this utility to select the next web sites I'll crack. I used to have to run tons of different 1337 scripts to accomplih that same goal, but now it looks like I can do it all with one app.:)

I'm not sure why this was rated offtopic. Troll, maybe:) I was joking when I wrote it, but I was trying to make a point, too. Whenever these powerful security analysis tools are released, often times they're equally useful to black hats as well as legit folks. Remember when that SATAN tool was released years ago?

Hopefully, maybe the tool they're releasing can't even diagnose the flaws of NT directly. Maybe you have to run it directly on the NT box you're looking at. I hope that's how it works, because otherwise hackers will have a field day with it remotely scrutinizing people's boxes.....

Why worry about the kernel so much? I can't think of any major DoS exploit in the Linux _kernel_ that has shown up in the past year or so. If your user-space applications (like bind, sendmail, etc) are properly maintained, then you will likely have a very secure system. And you don't need to reboot in order to upgrade bind.

Try upgrading DNS, WINS, IIS, and KERNEL32.DLL on a Windows machine (even the oh-so-holy W2K) without a reboot. Can't be done. Reboots mean more downtime; and downtime is bad -- so these things don't get done often. Not to mention the fact that the requirements for becoming a "NT SysAdmin" are not exactly that strict -- so the _average_ level of competence is going to be higher for Unix admins then NT admins (you need to know what you are doing to get into a Unix shop).

Note that I'm not saying _all_ NT admins are dolts. Just a large number of them.;)

I think that the real problem here is that a lack of diversity in OS's creates huge security problems. ie: One world, One Operating System, One exploit.

Um, this is on the server, where Microsoft dosen't have a monopoly, not even a plurality. According to netcraft [netcraft.com], that title belongs to Apache [apache.org].

So what's microsoft's problem?

There are a number of them, as I see it:

Microsoft dosen't have a good mechenisim for staying up to date on the latest patches. For example, I can put security.debian.org in my/etc/apt/sources.list, and set cron to run apt-get upgrade nightly. This will automagically install any security patches with no user intervention. Even non-debian distributions have mechenisims like manually-installable packages and quick (and honest) reporting of security issues, which make it easy to stay up to date.

Their closed-source and propietory systems extend the time between an exploit being found, and a usable patch being produced. For a classic example, look at the Ping of Death [uni-karlsruhe.de]. Linux had a patch out in (exactly) 2 hours, 35 minutes, and 10 seconds. Microsoft took almost a month.

This is the most important: Microsoft administraters tend not to be as good at network administration as Unix administraters. I'm not trying to insult any softies out there, and I'm sure there are some really good Microsoft admins and poor Unix admins, but with Microsoft handing out MCSE's to any dipshit who can memorize a questions book (but probably has no experence or training with security), it's bound to happen. Unix administraters have (generally) taught themselves, which means they have many years of practical experence with their OS, or learned Unix at a real academic instution, which means that they got more than just the crash course.

Bruce Schneier once called security a "process, not a product". Microsoft has tried to pretend that they are selling a product. That you go to the store, buy Microsoft Foo 2000, pull the disks out of the shrink wrap, and use it like you'd use a television or a vacume cleaner. An Operating System is too complex of a beast for that to be the case, and no amount of Wizards or flying folders is going to change that simple fact.

SP6 broke everything that required a TCP port higher than 1024, IIRC, that was running with an administrator account.

On our PDC, we had our vendor come in to apply SP3 after it had been out for a couple months. It took 5-6 hourse, and a couple dozen reboots, since explorer would hang immdiately after login. All that could be done was reboot, again, and again, and again, until finally it came up.

SMS 2.0 gave me fits last year, as it claimed it required "NT4 SP4 or later, IE 4 or later." Well, I installed SP6a and IE 5.0 SP1, and the little fucker just wouldn't run. Turns out that the MS "Cumulative Service Packs that contain all updates from previous packs," DON'T contain the MDAC or Y2K updates included w/SP4. Bastards.

Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing.

It's also that unix systems tend towards programs which each do a single task. With NT being more huge programs doing multiple tasks. The same idea applies to patches vs "service packs".Thus it's probably easier for someone to work out what a un*x box is actually doing than an NT box in the first place.

I think that the real problem here is that a lack of diversity in OS's creates huge security problems.

It may or may not create security problems, what it does do however is make expolits far more serious.A software monoculture carries many of the same risks as an agricultural monoculture.Even more so if all the distributions are binaries. Since the likes of buffer overflows depend on what's in the binary.

This is what always gets me about Windows NT. It is absolutely insane the crazy dancing-in-the-moonlight, chickenbones-waving stuff that you have to do to get it to work. Every update requires a reboot, or three. And half of the fixes break more things than they fix.

The fact of the matter is that Windows is much harder to keep up to date than even the cruftiest of *nix boxes (well, maybe not the cruftiest).

This may be something obvious that everyone other than me knows...
scenario: I shop at x.com, and my credit card info is stored there. x.com gets hacked.
- Does x.com have not notify anyone that their card info has been stolen?
- If so, who? Card issuer? Card holder?
- If the card issuer is told a card number is comprimised, do *they* take any action?... or, is it up to us to notice funny charges?
Mike

You forgot the weather! That's one of the most important considerations when patching MS software. Don't ever, EVER do it in foul weather. A good UPS is no protection from the bad juju. After rebuilding our Exchange Swerver from the ground up as a result of Service Packing during a heavy downpour, I've learned my lesson, by God!

I think that the real problem here is that a lack of diversity in OS's creates huge security problems.
ie: One world, One Operating System, One exploit.

It's a combination of both. As Linux gains popularity and takes on more novice users, exploits of Apache have skyrocketed, almost to the point where Linux/Apache is as 'sploit-prone as NT/IIS. This has less to do with the inherent security of the OS than with the practises of the people who deploy them. I suspect you'd see the exact same situation happening if OpenBSD were gaining popularity the same way that Linux has recently.

Microsoft made their OS so user friendly that upper management thinks you can get away with hiring a trained monkey to admin their systems. Which is for the most part true, right up until the skript kiddies move in and take over. Those experienced admins with the six digit salaries are worth the money you pay them.

I'd like to start seeing some liability lawsuits against companies whose admins apparently can't be bothered to keep up with the current security updates. Either the admins can't be bothered because they don't know their ass ends from their elbows or they are so overloaded that something slips by them. In either case, the company is at fault.

Its getting trite to point out how anti-MS the Slashdot trolls^H^H^H^H^H^Heditors are, but...

Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...

I'm a programmer. I've worked with many companies, both Windows based and UNIX based, and in my experience there's plenty of clueless sysadmins to go around. In fact, while I have no numbers to back it up, my experience suggests NT sysadmins are MORE likely to be running patched systems than UNIX sysadmins... Not because they are more clueful, but because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things. I'm not saying the NT 'way' is better -- you certainly generally have to wait longer for a fix to a known problem on that end, but to suggest that sysadmins who use NT are someone less clueful or responsible just because they are running NT is just, well, fucking stupid.

Hmm.. most credit cards (major ones, Visa, Master, etc etc) have specified liability for you. Thats typically $50, or $150 which you can never be held liable for, so long as you are not actively complicit in helping someone commit a fraud.

I had a problem a while back with a card that I had never used ($5k limit) and suddenely one day i got a bill for tons of shit. I didnt have to pay a dime when it was all done and said, just sign a statement saying I didnt buy any of that shit and I was willing to press charges against anyone they arresetd for the crime.

"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems... "

Cool! I'll have to use this utility to select the next web sites I'll crack. I used to have to run tons of different 1337 scripts to accomplih that same goal, but now it looks like I can do it all with one app.:)

"Warning! You seem to be about to send your credit card # to www.esomewhat.com. Since this website is running the Microsoft IIS Webserver (which is known to be very easy to hack) you should think twice before doing so!"--------------------------------------

I do software development on Windows NT at work. One of the programs I work on started development on a Windows NT 4 SP3 system. Had everything working just fine, including this little (okay, slightly flakey) graphics package. Got switched to working on something else, and during this "upgraded" the system to service pack 5.

A couple months later, I switched back to the program. Hadn't made a single change to the program. Guess what, this little graphics package was suddenly giving me memory access errors. No changes except that service pack.

Service packs are dangerous. If you have a system that you think is "working just fine" I can *easily* understand not wanting to apply a service pack. You don't know when a service pack is going to break something, or, even worse, fix something that your program depended on being broken.

I'm not saying not to apply security hotfixes... but bear in mind you may be introducing problems, as well as correcting problems.

How about the reason that SQL server installs with user sa and no password. Why does most apps that use SQL hard code this fact into the app so you CANT change the password. How about the fact that corperate won't allow latest service packs to be installed,(I'm not allowed to have anything more than SP3 on the NT here... I obviously go against their "rules" to ensure safety, but I could be terminated for doing so.

(NOTE: I work for one of the largest corperations on the planet. we aint no rinky-dink operation)

How about the fact that SP5 basically broke every NT server on the planet, so we are afraid to apply patches from MS....

First of all, WindowsNT lowers the threshold of using 'complex' systems ment for servers. So 'unskilled' sys admins, managing a NT server, are more likely to be clueless when it comes to security/patches/buqtrack/etc.

Secondly NT service packs do have a reputation of breaking stuff more then fixing them. This is partialy just 'FUD', but it has happend @ my company a few times that a sys admin (yes one of those of the clueless types) installed a service pack on the main NT server, it broke NT, exchange and the MsSQL server, and the network was escentialy down for 2 days.. This kind of horrors strongly demotivates sys admins from just downloading the service pack, and installing it..

That's a good question. Microsoft has even gone so far with Windows 2000 as to include Windows Update RIGHT ON THE START MENU! Heck, you can even download a little daemon that tells you ever time there's a security patch. Click on it, and it installs. Voila! Stupid admins.

Anti-Linux Jihad: "Every time something goes wrong with Microsoft software all you Linux wackos go nuts claiming that MS sucks and Linux r0x! It's totally unfair, Linux has problems too! And you can set up your MS software to fix the bugs and security holes! Yadda yadda! Fahrvergnugen!"

Pro-Linux Wacko: "This just proves that MS sucks! Their software sucks and causes problems to no end! Microsoft should go to Hell and DIE! And Bill Gates too! Free Software is the One True Way! All hail Richard M. Stallman!"

For example, I can put security.debian.org in my/etc/apt/sources.list, and set cron to run apt-get upgrade nightly. This will automagically install any security patches with no user intervention.

I hope you only do that for your desktop machine, and not any production servers.

An example for why this is a bad idea: I tried upgrading Zope today in response to a security alert for Debian. I install the package as normal, however, when I try to access the web server, it asks for a password, and doesn't accept any valid ones. This is for the front page!

If that had happened during the night, our server would have been unavailable for hours. As it is, I just re-installed the old version, so our downtime was limited to just a few minutes.

I usually try to test out upgrades first, but since the last Zope upgrade went very smoothly, I started to get cocky (and thereby less careful).

the things is that Microsoft doesn't offer any vendor support for basic patches (which are called hotfixes). These patches (which come out a week of two after the announce aren't regression tested or supported by MS. The patches that Red Hat put out a week after most exploits ARE vendor supported. Odd how MS have no confidence in their product.

MS makes admins wait to install monolithic Service packs which not onyl fix my bug, but add funcationaltiy and fix other bugs too. In the process of doing so, they break systems. I don;t know about the 2K certification, but the NT4 MCSE classes told us to never install a service pack unless you needed something fixed and were sure it wouldn't melt the server.

Yes, in theory a site that was cracked through a vulnerability that has an available patch is (or should be considered) negligent.

(IA of course NAL and if you go to Slashdot for legal advice then you are insane.)

Now, here are some practical hurdles that need to be overcome. Say I use my credit card at a web site, and then some strange debits appear on my statement. How do I prove that the web site was cracked? If the web site was cracked, how do I prove that the strange debits were due to the crack, and not to dishonest wait staff at the restaurant where I used the card the week before?

The expense of proving liability probably exceeds recoverable damages for any one person, especially when the crackers are overseas. This could be overcome through class action lawsuits and punitive damages.--
Ooh, moderator points! Five more idjits go to Minus One Hell!
Delenda est Windoze

This isn't as trivial a decision as it may sound. A system which, in theory, can interrupt the user every five minutes to deliver a security patch, is gonna get disabled. Excessively onerous "warnings" are almost as much a problem in software design as the absence of warning signs.

For a shocking example, I refer you to "An Investigation of the Therac-25 Accidents." [vt.edu] Basically, an X-ray device malfunctioned and killed a whole bunch of people in part because it popped up warning messages as a matter of course. The operators got so desensitized to them that they lost their effectiveness, and people got hurt as a result.

The moral of the story: it's important to warn the user when he's doing something dangerous. It's as important to leave him alone and let him get some work done the rest of the time.

It's not always the patch gymnastics required and/or app dependencies that dictate company policies & mindset towards keeping systems up-to-date, nor is it always "Trained Monkey Syndrome" from lack of competent & clued admins. A lot of the time it's the downtime required to fix whatever's broken. Companies in many cases decide the potential risk of getting hacked is outweighed by the measurable cost to fix it... and the cost can be anything from lost ecommerce revenue to lost productivity to employee costs.

I work with some world-class NT engineers and they know their shit. While I give them a hard time for not using a real OS, I have to admit that they've proven to me that it's the quality of the syadmins, not the quality of the OS, that really matters. (I still think windows sucks, but I admit you can make it suck less)

However, even God's Gift to NT can't change the fact that in order to do certain things in windows (service packs in particular) you have to jump through so many hoops, and the multitude of reboots (and hence downtime) from those hoops, that many companies can't or won't afford the downtime. With *nix and most other OS's you aren't nearly so screwed and can address the vast majority of updates/fixes etc without incurring any downtime.

And that is one of the main reasons these known holes in the Windows world are so common and exploited. Not to mention that it has the added bonus of reinforcing the perception that NT Admin==Clueless Monkey which we all love to laugh about.:)

And you are the first person in this discussion to get to the REAL heart of this matter -- it's not 'point-n-drool', it's the fact that MS's patch system is horrific. As NT4 became overly-long in the tooth, it got even worse and worse.

Exactly, Unix admins like to think that they are more on the ball, but the fact of the matter is that they simply have superior tools. In some cases vastly superior tools. Adding the security updates to Debian's apt system makes staying current so incredibly easy that a child could do it. And even crufty old tar balls are better than Microsoft's service pack dance. At least that way you can update only the software that you need to update.

And that's the other part of the problem with Microsoft's Service Packs. Instead of simply fixing the problems that you have and being done with it Microsoft insists on foisting new software updates on their users as well. Nearly every service pack has had some added functionality. This functionality generally wasn't overly helpful either. Many times it served as nothing more than a way for Microsoft to force sysadmins to install software that was important to Microsoft's long term strategy. Why, for example, do I need a web browser on my database server?

Fortunately there is a cure for this madness, and that is to simply avoid Microsoft software where possible. This is emminently practical when it comes to systems that actually face the Internet. Heck, at the very least you could shield your NT servers behind an OpenBSD box with port 80 forwarded to your Windows box. That way if you really felt like you need to use Windows development tools you could shield your vulnerable Windows machines with something specifically designed to thwart attacks.

You're right about avionics - in the year 2001. But in 1950, the avionics gap wasn't anywhere near what it is now. Also, most kills at the time were still gun kills, which are implemented almost exclusively through the skill of the pilot himself.

As I've said for years, a compitent admin for NT costs just as much as a compitent admin for Unix (which 5 years ago was $70k if the binifits were good) NT is easier to setup once you know what to setup. However the difficult part of admining a system is not the setup, but knowing how to do it right. Setting up even the most obscure undocumented mess of an OS is easy compared to the job of knowing the right way to set it up.

NT gives you the ability to fool yourself into thinking that is works so it much be right. You can do the same with any OS, but unix is difficult enough that your research on how to do it will generaly lead you to at least one how to do it right document which gives up a chance. (But of course you can still screw up unix)

"bonus of reinforcing the perception that NT Admin==Clueless Monkey which we all love to laugh about"

Unfortunately the single most responsible party for advancing this perception is microsoft themselves. Every time somebody at microsoft talks about Linux they mention how you don't need engineers or highly trained sysadmins which cost money to use windows. You reap what you sow I guess.

Unfotunately the only assurance you have that SPs won't add features is the word of Microsoft. I for one would not believe one word of anything coming out of the redmond PR machine or it's executives. They say that now but just wait till a competitors product becomes popular then whammo a SP will add a feature which will break that product. Ms has to prove that their word means something and up to now they are batting zero.

Yes, and any particular company has to put all it's eggs in one Server OS basket or risk insanity. So I guess a company should take great comfort that there are OTHER companies somewhere out there that didn't get hit with the exploit that brought them down. Wonderful.

People often fail to realize that each time a service patch is released, it means your system was vulnerable every single day from installation to the day you install it. Each service patch (well, each security-related service pack or hotfix) is in response to a discovered flaw.

With such a wide-sweeping operation as the one detailed in this article, who's to say that the security hole to be addressed by next months' hotfix isn't being exploited right now?

Trained hotfix monkey or 6-digit sysadmin, your IIS system is still vulnerable today to the bugs that go public tomorrow.

Which isn't to say that IIS is alone in this vulnerability, but it's silly to assume that keeping up to date with security patches and revs, be it Windows, Linux, Irix, or whatever, is a panacea to security break-ins. Your e-commerce architecture should be such that the credit cards are never on the same machine as your public server, and that the public server only has the ability to send CC info to the CC database, and never the other way.

Unicenter TNG is not included in the cost of windows so windows is not cheaper then other server operating systems (as a bonus you get to deal with CA what fun!).

Wise is also not included with NT add that to the cost too (might as well add pc-anywhere too).

Windows does not offer a lower TCO because every package must be carefully scrutinized and an install script must be made using wise. This process requires a clued in sysadmin. These sysadmins don't cost less then unix sysadmins.

Your sysadmins must also be able to program in VBscript, jscript, perl or something in order to write complex login scripts once again precluding a cheap easy to find sysadmin.

yeah, and any patch from MS is not going to present stability issues, and of course it will be compatible with all the existing software on the machine.

The worst thing about a lot of sites is the lack of a way to either back out an "upgrade" if it trashes stuff, or a duplicate machine to test that on. I spent a happy 36 hours once trying to undo an "urgent security patch" to MS_SQL Server that made the thing secure all right, the fscking thing wouldn't run at all it was so secure. Never let PHB have root, it just blows your availability out the window(tm)

Actualy since a few service packs for NT4 broke the whole system, and products running on it, the official advice has been "download and install only the required security patches, and check bugtraq often for workarounds".

So monelithic service packages can be good (easy to use) but also quite bad in practise..

The new windows 2000 'windows update' is a good step though (same functionality as Redhat's up2date basicly). It seems to be a good middle-of-the-road style solution that pleases most people.

Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing. NT Admins are usually too busy doing everything from installing Service Pack n and cleaning the CEO's mouse to keep on top of what they were expected to be doing in the first place. Or perhaps its also a "s/he who lives by the Install Wizard dies by the Wizard" situation. It's too easy to do a "lazy install" on a Winserver.

I feel sorry for 'em, and hope this scare finally wakes up some of the CEO's who believe their IT shops will run by themselves because Bill Gates' marketeers told them a Windows server is just as service-free as their PC is. So they have one poor soul doing 5 peoples' IT jobs. *sigh*

Red Hat is no less secure than any other operating system fresh out of the box. In fact, I've always held the opinion that all operating systems are insecure until they've been hardened. It only takes about thirty minutes and one reboot to secure a networked Red Hat box. It takes even less if you use Bastille. The only distro I've seen that cuts this time in half is Mandrake 7.2 and that's because of its ability to select a predefined security setting at install. Even then its still wise to double check the machine afterwards.

Actually, most Linux breaches come from the other stuff distributions contain, not Apache. Apache is wonderfully great about security. Almost as good as the OpenBSD guys. The other Linux packages (ftp anyone?) seem to have more trouble.

I'm a SysAdmin and I work with Linux, Solaris, BSD, and NT/2K. I'm an expensive NT SysAdmin that knows to apply service packs and hotfixes, and have done so since long before Windows Update. Many people prefer to hire a less experienced admin for their NT network becuase they can find them cheaper, and they don't know the difference.

It all comes down to, you get what you pay for in a SysAdmin. Many admins don't know you need to apply these fixes. I've worked for several companies that limited the service packs and fixes that could be applied. When all they allow is Service Pack 3, they get what they deserve.

So...don't blame Microsoft. Blame the companies that don't hire the right people and the clueless admins that don't do their job. We all get busy, but it's time to stop making excuses when you're behind 2 service packs.

Not because they are more clueful, but because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things.

You don't know what you're talking about. I suspect that it's because your main UNIX experience is probably dealing with Linux systems.

Installing the latest patches for a few dozen Solaris vulnerabilities looks like this:

./install_cluster

Followed by hitting "y" once.

And if we want to add a piece of hardware or change an IP address, we don't have to remove the patches first, make the change, reboot twice, and then reinstall the patches.

I can use ssh to do that simultaneously on several hundred systems. Can you say the same with NT?

I can install the patches while the OS is active, leave the machines sitting running stably for a week until I get a downtime window, then reboot them for the one or two patches that require that. Can you say the same with NT?

The fact is, NT service packs are a horrible mess and hassle. You have to remove the pack and reinstall it frequently, and if the pack is fixing support for hardware you NEED to access the system, you've got a serious issue on your hands.

Oh; using wget and ssh, I can automate this process for hundreds of machines in minutes. How long does that take to set up in NT, again?

Kernel exploits (generally) are only relevant when you have untrusted local users. So, if these were boxes that have multiple hosted sites with shell accounts, it would be a problem. If it's within a single organization, kernel patches aren't that big of a deal, unless its for a specific problem (I'm currently testing a patch to 2.2.18 to fix a VM problem). If you don't have any untrusted local users, you only need to keep your network software updated (Apache, FTP, inetd, etc).

blocking the smb ports would take away "features" as would blocking activeX objects and disabling VBS scripting. MS systems are insecure when used as intended in order to secure them you have to cripple them.

> Oh; using wget and ssh, I can automate this process for hundreds of machines in minutes. How long does that take to set up in NT, again?

Same amount of time.

Yeah, right; you can sit down at NT, and using freely-available tools, set off the process of downloading and installing a Service Pack on hundreds of machines. With nearly zero impact to production jobs in effect on those machines, up until you're ready for the reboot.

Whatever you're smoking, you must have bought it from Microsoft's marketting department, not their engineers.

On Solaris I do this with a shell script, one I can bang out on the command line from memory in 30 seconds. And I can run that shell script from a Linux, HP/UX, AIX, etc. system if I desire, although in practice I'd do it from another Solaris system to minimize confusion.

Hell, it's quicker for me to do this FROM an NT box than it is TO NT boxes.

"Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."

NT service packs are a huge pain in the ass. Installing one can break apps (SP 6 and Lotus notes, anyone?), create new security holes, make a (Relatively.) stable system unstable, and more. Often it can be impossible to get approval from management to upgrade like this with no testing. Getting the testing done is a pain because developers are usually more concerned with testing their latest code than worrying about service packs. Sometimes there is just no money for the testing, especially in dotcoms.

What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS, warning them how dangerous it is to provide a CC number to a site running a Microsoft product.

You forgot "Sacrifice a chicken when installing a service pack who's version # is a prime number" !

Anyways, those are all valid points, and is kinda what i ment to say. Most people thing adminning a NT box is simple, since its point and clickey.

Also MS advertising tells them to use NT, since its so much easier to administer and use.

That however does also seem to cause a lot of the NT problems out there. Sure there are some flaws in the design changes made in NT (i still like 3.5 best for stability, 4 is ok, 2k.. dont get me started:P), like moving the GUI and network and IIS services into ring 0 (ie kernel space) so it would be faster then most/all competitors.

Take the design choices made by NT, add some Ms marketing stating that you -dont- need a 6 figure sys admin to controll the boxes, and mix that up with some broken service packs, and you've got a great recipie for missery:)

NOPE, they don't have to notify you. And Yes it's up to you to notice those "funny charges".

What they should do is notify their CC clearing house which will notify VISA, Mastercard, American Express... and then with the data, They can advise the host (users) card service provider/bank and have them run a pattern of activity and notify the customer if something seems wrong.

Ever get that phone call at 7 pm at your home asking "you have done xyz amount of purchases and were confirming that because of different activity it's you" Happen twice this year (2001) so far and had all my cards switched (yes they do it for free).

Offtopic : Protecting yourself
1) only use 1 or 2 cards that are strictly for on line purchasing.
2) give the CC companies the only approved delivery address home and office ( they will thank you for it )
3) when you think you are scammed, file the claim fast and then cancel the card and have them issue a new one.
4) if you on-line bank, do it only from your home and not your office. There are sysadmins that have keyloggers and other snooping devices.

5) this is important Each $ 1000 of credit = about 200 real cash (fense value) to a thief so keep your credit purchase per transaction limit to 300. this way the CC has to veryify the purchase to the 2 known addresses and phone #'s

You may work somewhere big, but you don't know the first thing about SQL server.

Yes, it installs with a blank password by default. However, in over 50 SQL server intstallations, with literally hundreds of MS and third party apps, I have yet to see a single app that has this hardcoded. I would faint at the sight of an app that requires a blank SA password.